1, 2, 3, 4, 5 Ways to a Successful Social Attack

In its recent Annual Fraud Indicator, the National Fraud Authority highlighted that mass marketing fraud against individuals cost the UK economy £3.5 billion in 2011, that is ten times more than the cost of plastic card fraud in the same year, or equivalent to the total fraud losses incurred by the financial services sector in the same period! Sobering perspective, don’t you think? We all know that mass marketing fraud is where criminals aim to defraud multiple individuals to maximise revenue by persuading victims to transfer monies in advance in exchange for promised goods, services or benefits. And we all know that this is usually done via mass-communications media (such as telephone calls, letters, emails and text messages) and ranges from foreign lottery/sweepstake frauds through to Ponzi schemes and romance frauds or any other abuse of trust…

We could also be forgiven for thinking that these scams are so obvious that those who get caught should definitely know better. So, let’s do a little experiment… My bet is that I can probably catch you out in five tries.

The idea for this post came from Andy Dancer, CTO EMEA at Trend Micro, and his presentation at the Spring SASIG this year. Mass marketing fraud is not new, so I really do not expect any of you to fall for the very obvious…

Inheritance scam (first try)

The foreign heir/heiress to a substantial fortune offers you a percentage of the fortune in exchange for your help with money transfers and advance fees… Traditionally, this has been done via letters or email, and way back, lots of otherwise savvy individuals got caught out, and we now all know better. However, criminals are nothing if not innovative and, with their fingers always on the pulse, they also move with the times: this scheme recently received a makeover with the use of Facebook… OK, you were not fooled, but how many people you know would be?…

Updating Bank Details (second try)

You receive an email, apparently from your bank, saying that a fraudulent transaction may have been performed on your account and that you are required to check/update your details by following a link in the email. Yes, the link may look genuine, and we all know not to click on embedded email links. We also all know how to find out the actual URL behind the embedded link, but what if the link looked like http://onlinebanking-chase.com/checking/ssl/update.php? OK, you may not fall for this one, but how many people you know would? How many people can recognise a phishing site (spelling mistakes, etc.) and a phishing URL (see section 2 of the bustspammers page on phishing)?
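As an added illustration (not part of the original post), here is a small Python check that applies the advice above: look at the host actually behind the link and ask whether the brand word in it belongs to the brand's real registrable domain. The allow-list is constructed for the example and assumes chase.com is the bank's genuine domain; the registrable-domain logic is deliberately simplified.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allow-list for the example: the domains a brand really uses.
# "chase.com" is an assumption for illustration; a real deployment would load
# this from the organisation's own list of legitimate domains.
BRAND_DOMAINS = {"chase": {"chase.com"}}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplified: production code should consult
    the Public Suffix List so that suffixes such as .co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the 'domain' is really a bare IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_red_flags(url: str) -> list[str]:
    """Return the red flags a reader should notice in a link; [] means none.
    The path (/checking/ssl/update.php) is ignored on purpose: only the host
    decides where the link really goes."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if parsed.scheme != "https":
        flags.append("not https")
    if "@" in parsed.netloc:
        flags.append("userinfo before host (text before '@' is not the site)")
    if is_ip_literal(host):
        flags.append("raw IP address instead of a domain name")
    reg = registrable_domain(host) if host else ""
    # Split on dots and hyphens so 'onlinebanking-chase.com' yields 'chase'
    tokens = set(re.split(r"[.-]", host))
    for brand, legit in BRAND_DOMAINS.items():
        if brand in tokens and reg not in legit:
            flags.append(f"brand '{brand}' in name but real domain is '{reg}'")
    return flags
```

For the URL in the post the check reports both "not https" and that the real domain is onlinebanking-chase.com, not chase.com; a link such as https://www.chase.com/personal/checking produces no flags.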

So, let’s step it up a bit…

The fake app (third try)

This app was popular on iOS and the fake site advertised the “new” Android version:

The following text courtesy of Trend Micro: Once the application is installed and run, it creates shortcuts on an infected smartphone’s homepage. If the Android-based device has Facebook installed, it asks the user to share the fake app on Facebook before playing the game. It would also prompt the user to rate the application in the Android Market. Once the user has shared and rated the app, it displays a countdown to the app’s release instead of showing the actual game, and it was capable of displaying ads using mobile notifications. (In this instance, if you checked the information on the game’s developer for this Android version of the game, it was not the same as the developer for the iOS version. This app has since been taken down.) Now, be truthful, could you (or someone you know) have fallen for something similar?…

The malware infection that begins with windscreen fliers (fourth try)

This one began with fliers placed on windscreens in public car parks and was an innovative way of social-engineering potential victims into visiting a malicious website. The text of the flier read:

PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to [website-redacted].

When following the link, victims would be tricked into installing fake anti-virus software (Full story here), and all sorts of havoc ensued.

How close were we on this one?…

The LinkedIn invite (fifth try)

What the first four attempts had in common is that you were not expecting them, but what if the scammers have studied you and sent you something you might actually expect…

You might not have fallen for any of these attempts, but on a personal level, how many members of your family would? On a professional level, how many employees in your organisation would, from field staff to C-level execs? Different people will have different thresholds to these attacks, which brings me to the whole point of this post:

Security education and awareness is key at all socio-economic levels, whether on a personal or professional front. Our duty, as fraud and infosec professionals, is to keep educating and spreading the word. And we might even contribute to our country’s economy by reducing fraud…

Until next time…

neirajones

About Neira Jones

With more than 20 years’ Financial Services experience, Neira is currently Head of Payment Security at Barclaycard, where she is responsible for the security compliance of circa 100,000 customers & 3rd parties. She received the Information Security Person of the Year Award in April 2012 from SC Magazine, at the same time as her team scooped up the prestigious SC Magazine Award for Information Security Team of the Year for the 2nd year in a row.

Not content with this, February 2012 saw Barclaycard winning two awards at the Merchant Payments Ecosystem conference for “Data Security” & “Merchants” for successfully steering Barclaycard and its customers through the changes in payment security, and in particular with the PCI DSS (Payment Card Industry Data Security Standard). She is a member of the Infosecurity Europe Hall of Fame and has been on the PCI Security Standards Council Board of Advisors since 2009.